Application Verifier - Stop Codes - NTLM

The following stop codes are contained in this set of tests.

AcquireCredentialsHandle acquires NTLM credential explicitly.

Probable cause

AcquireCredentialsHandle is called directly or indirectly by the application with pszPackage = 'NTLM'. To fix this issue, use 'Negotiate' instead.

An example of a bad call:

    AcquireCredentialsHandle(
        ...
        'NTLM', // pszPackage
        ...
    );

An example of a good call:

    AcquireCredentialsHandle(
        ...
        'Negotiate', // pszPackage
        ...
    );

Please refer to help for more detailed information on this stop code.

Information displayed by Application Verifier
  • Parameter 1 - Not used.
  • Parameter 2 - Not used.
  • Parameter 3 - Not used.
  • Parameter 4 - Not used.

Additional Information
  • Test Layer: NTLMCaller
  • Stop ID: ACH_EXPLICIT_NTLM_PACKAGE
  • Stop code: 5000000
  • Severity: Error
  • One-time error: no
  • Error report: Break
  • Log to file: yes
  • Create backtrace: yes

AcquireCredentialsHandle prefers NTLM credentials. Please see Param1 for the value of PackageList.

Probable cause

AcquireCredentialsHandle is called directly or indirectly by the application with pszPackage = 'Negotiate'. However, NTLM is preferred in the supplied credential (pAuthData).

An example of a bad call:

    AcquireCredentialsHandle(
        ...
        'Negotiate', // pszPackage
        ...
        pAuthData, // pAuthData, ((SEC_WINNT_AUTH_IDENTITY_EX*)pAuthData)->PackageList is 'NTLM' or 'NTLM,KERBEROS' etc.
        ...
    );

An example of a good call:

    AcquireCredentialsHandle(
        ...
        'Negotiate', // pszPackage
        ...
        pAuthData, // pAuthData, ((SEC_WINNT_AUTH_IDENTITY_EX*)pAuthData)->PackageList = NULL or NTLM is less preferred.
        ...
    );

Please refer to help for more detailed information on this stop code.

Information displayed by Application Verifier
  • Format: - Packagelist: %.*hs%.*ws
  • Parameter 1 - PackageList.
  • Parameter 2 - Not used.
  • Parameter 3 - Not used.
  • Parameter 4 - Not used.

Additional Information
  • Test Layer: NTLMCaller
  • Stop ID: ACH_IMPLICITLY_USE_NTLM
  • Stop code: 5000001
  • Severity: Error
  • One-time error: no
  • Error report: Break
  • Log to file: yes
  • Create backtrace: yes

AcquireCredentialsHandle mistakenly uses '-NTLM' to exclude NTLM credential. Please see Param1 for the value of PackageList.

Probable cause

AcquireCredentialsHandle is called directly or indirectly by the application with a supplied credential (pAuthData) in which '-NTLM' is mistakenly used to exclude the NTLM credential. To fix this issue, use '!NTLM' instead.

An example of a bad call:

    AcquireCredentialsHandle(
        ...
        'Negotiate', // pszPackage
        ...
        pAuthData, // pAuthData, ((SEC_WINNT_AUTH_IDENTITY_EX*)pAuthData)->PackageList uses '-NTLM'.
        ...
    );

An example of a good call:

    AcquireCredentialsHandle(
        ...
        'Negotiate', // pszPackage
        ...
        pAuthData, // pAuthData, ((SEC_WINNT_AUTH_IDENTITY_EX*)pAuthData)->PackageList uses '!NTLM'.
        ...
    );

Please refer to help for more detailed information on this stop code.
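The two PackageList conditions above (ACH_IMPLICITLY_USE_NTLM and ACH_BAD_NTLM_EXCLUSION) can be screened for in code review or unit tests before the value reaches AcquireCredentialsHandle. The following portable C check is an added example, not Application Verifier's own logic; the names `pkg_verdict`, `is_ntlm` and `lint_package_list` are hypothetical, and it assumes that "preferred" means NTLM is the first non-excluded entry of the comma-separated list.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Verdicts mirror the Stop IDs on this page; the enum itself is hypothetical. */
typedef enum {
    PKG_OK = 0,
    PKG_IMPLICITLY_USE_NTLM,   /* corresponds to ACH_IMPLICITLY_USE_NTLM */
    PKG_BAD_NTLM_EXCLUSION     /* corresponds to ACH_BAD_NTLM_EXCLUSION  */
} pkg_verdict;

/* Case-insensitive match of a length-delimited token against "NTLM". */
static int is_ntlm(const char *tok, size_t len)
{
    static const char name[] = "NTLM";
    if (len != 4) return 0;
    for (size_t i = 0; i < 4; i++)
        if (toupper((unsigned char)tok[i]) != name[i]) return 0;
    return 1;
}

/* Classify a narrow-string PackageList; NULL means no list was supplied.
 * Assumption: NTLM is "preferred" when it is the first non-excluded entry. */
pkg_verdict lint_package_list(const char *list)
{
    int seen_allowed = 0;            /* has a non-excluded package appeared yet? */
    pkg_verdict v = PKG_OK;
    if (list == NULL) return PKG_OK;
    for (const char *p = list; ; ) {
        size_t len = strcspn(p, ",");            /* length of the current entry */
        const char *tok = p;
        size_t n = len;
        /* Defensive trim of surrounding whitespace. */
        while (n && isspace((unsigned char)*tok)) { tok++; n--; }
        while (n && isspace((unsigned char)tok[n - 1])) n--;
        if (n > 1 && tok[0] == '-' && is_ntlm(tok + 1, n - 1))
            return PKG_BAD_NTLM_EXCLUSION;       /* '-NTLM' instead of '!NTLM' */
        if (n && tok[0] != '!') {                /* '!' entries are exclusions */
            if (!seen_allowed && is_ntlm(tok, n)) v = PKG_IMPLICITLY_USE_NTLM;
            seen_allowed = 1;
        }
        if (p[len] == '\0') break;
        p += len + 1;                            /* step past the comma */
    }
    return v;
}
```
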

Information displayed by Application Verifier
  • Format: - PackageList: %.*hs%.*ws
  • Parameter 1 - PackageList.
  • Parameter 2 - Not used.
  • Parameter 3 - Not used.
  • Parameter 4 - Not used.

Additional Information
  • Test Layer: NTLMCaller
  • Stop ID: ACH_BAD_NTLM_EXCLUSION
  • Stop code: 5000002
  • Severity: Error
  • One-time error: no
  • Error report: Break
  • Log to file: yes
  • Create backtrace: yes

InitializeSecurityContext uses NULL target or malformed target for Kerberos service. Please see pszTargetName for the value of the target.

Probable cause

InitializeSecurityContext is called directly or indirectly by the application with pszTargetName being NULL or malformed, in which case Kerberos cannot be negotiated. The guidance for fixing this issue so that Kerberos is used is as follows:

(1) The service the client application authenticates to should have its SPN uniquely registered in its forest;
(2) The service must run under the identity (domain user or computer account) with this SPN registered;
(3) InitializeSecurityContext should be called with this SPN.

An example of a bad call:

    InitializeSecurityContext(
        ...
        NULL, // pszTargetName
        ...
    );

Another example of a bad call:

    InitializeSecurityContext(
        ...
        '\\\\localhost', // pszTargetName
        ...
    );

An example of a good call:

    InitializeSecurityContext(
        ...
        'myservice/mymachine.mydomain.com', // pszTargetName, myservice/mymachine.mydomain.com is a uniquely registered SPN under which the service runs.
        ...
    );

Please refer to help for more detailed information on this stop code.

Information displayed by Application Verifier
  • Format: - pszTargetName: %hs%ws
  • Parameter 1 - Not used.
  • Parameter 2 - Not used.
  • Parameter 3 - Not used.
  • Parameter 4 - Not used.

Additional Information
  • Test Layer: NTLMCaller
  • Stop ID: ISC_MALFORMED_TARGET
  • Stop code: 5000003
  • Severity: Error
  • One-time error: no
  • Error report: Break
  • Log to file: yes
  • Create backtrace: yes

The client application downgrades to use NTLM authentication as the result of negotiation. Please see pAuthData for more details. pAuthData shows the credential and the target used for this negotiation.

Probable cause

The client application downgrades to use NTLM authentication as the result of negotiation. There can be many reasons for this issue. The guidance for troubleshooting it is as follows:

(1) Turn on the NTLMCaller Application Verifier layer if it was not on. This layer will catch commonly known issues that can cause the downgrade;
(2) If pszTargetName is an SPN, make sure this SPN is uniquely registered in the forest (the SPN cannot be missing or duplicated);
(3) The SPN must be looked up by the client system running the client application;
(4) The service must run under an identity with its Kerberos credential available;
(5) The scenario should be reviewed by Windows security experts.

Please refer to help for more detailed information on this stop code.

Information displayed by Application Verifier
  • Format: - pAuthData: %ws \n\tUser: %hs%ws \n\tDomain: %hs%ws \npszTargetName: %hs%ws
  • Parameter 1 - Not used.
  • Parameter 2 - Not used.
  • Parameter 3 - Not used.
  • Parameter 4 - Not used.

Additional Information
  • Test Layer: NTLMDowngrade
  • Stop ID: FALLBACK_TO_NTLM
  • Stop code: 5010000
  • Severity: Warning
  • One-time error: no
  • Error report: None
  • Log to file: yes
  • Create backtrace: yes

See Also

Application Verifier - Stop Codes and Definitions

Application Verifier - Overview

Application Verifier - Features

Application Verifier - Testing Applications

Application Verifier - Tests within Application Verifier

Application Verifier - Debugging Application Verifier Stops

Application Verifier - Frequently Asked Questions